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Description 

Background to the invention 

[0001] This invention relates to a license manage- 
ment mechanism for a computer system, for controlling 
use of licensed software. 

[0002] Software is normally licensed rather than sold 
in order that restrictions on unauthorised use can be le- 
gally enforced. Various schemes have been tried to 
make the software enforce these restrictions itself, in- 
cluding copy protection, hardware keys, etc., but the 
current trend is to the use of license keys that are pack- 
ets of data which permit the software to work only on a 
particular machine. 

[0003] One way in which this has been implemented 
is through the provision of a mechanism referred to as 
a license manager to which the handling of these license 
keys is delegated. By centralising the handling of the 
license keys it is possible to restrict the use of software 
not just to a single machine but to a network of ma- 
chines. This provides additional flexibility for the user as 
well as providing the potential for more sophisticated 
control over the use of the software within a user organ- 
isation. 

[0004] Central to the use of license managers to con- 
trol the use of software in this way is the ability to identify 
which machine the license manager is running on. If this 
were not done it would be possible to obtain license keys 
for use on one machine and use them on any number 
of machines. Various schemes have been used to 
achieve this identification, including serial numbers built 
into the machine processor, use of Ethernet DTE ad- 
dresses, etc. 

[0005] US-A-4924378 describes a licence storage 
key, for securely storing information about what licences 
are available. The licence storage key is connected to 
an external mouse/keyboard port. Before an application 
program can be run, it accesses a licence management 
daemon, which in turn accesses the licence storage key 
to have a licence assigned. Also, while the application 
program is running, it periodically checks with the dae- 
mon, to ensure that a licence is still assigned to it. This 
ensures that if the user removes the key while a program 
is running, the right to run that program is lost. However, 
a problem with this is that the licence storage key is a 
relatively complex device, capable of securely storing a 
number of licences, one for each program. 
[0006] The object of the present invention is to provide 
a novel licence management mechanism for a computer 
system, whereby this problem is avoided. 

Summary of the invention 

[0007] According to the invention there is provided a 
computer system comprising: 

(a) a host computer; 



(b) a security device removably coupled to an ex- 
ternal port of the host computer; and 

(c) a licence manager, running within the host com- 
puter, the licence manager including means for re- 

5 sponding to requests from application programs by 
checking whether those application programs are 
licensed and, if so, granting permission for those 
application programs to run; 

10 characterised in that 

(d) the security device contains a host identity; 

(e) the licence manager uses a licence table, stored 
within the memory of the host computer, for check- 
's ing whether application programs are licensed; and 

(f) the licence manager includes means for period- 
ically interrogating the security device, to obtain 
said host identity, and for withdrawing permission 
for application programs to run if the host identity 
does not match an expected identity value held in 
the licence manager. 

Brief description of the drawings 

[0008] Figure 1 is a block diagram of a computer sys- 
tem embodying the invention. 

[0009] Figure 2 is a flow chart showing the operation 
of a licence manager in response to a request to use a 
feature. 

[001 0] Figure 3 is a flow chart showing a host identity 
checking function performed by the license manager. 

Description of an embodiment of the invention 

[0011] One embodiment of the invention will now be 
described by way of example with reference to the ac- 
companying drawing. 

[0012] Referring to Figure 1 , the system comprises a 
number of computers 10, linked together by means of 
communications links 12 to form a data processing net- 
work. 

[0013] Each of the computers runs an operating sys- 
tem 14 which controls and coordinates the operation of 
the computer, and communications software 16 which 
allows the computer to communicate with the other com- 
puters in the system over the links 12. Each computer 
also runs a number of applications 1 8 (where an appli- 
cation is any logical software entity). 
[001 4] At least one of the computers runs a program 
referred to herein as the license manager (LM) 20. The 
function of the LM is to regulate the applications within 
a particular domain, so that each application can be 
used only to the extent permitted by licenses granted to 
the system owner. The domain comprises those appli- 
cations that can communicate with the LM. In this ex- 
ample, the domain extends over a multi-computer net- 
work, but in other examples it could consist of a single 
computer. 
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[0015] Each application has a number of features as- 
sociated with it. A "feature" is defined herein as an as- 
pect of an application that is subject to license control 
by the LM. A feature may, for example, simply be the 
invocation of the application by a user. However, more 
complex features may be defined such as number of us- 
ers, number of communication links and database size. 
[0016] Each application also has an application key 
associated to it, which is unique to the application. As 
will be described, application keys are used to ensure 
security of communication between the applications and 
the LM. 

[0017] The LM has a private area of memory in which 
it maintains a license table 22 and a log 24. 
[0018] The license table holds a number of license 
keys that have been issued for this system. Each license 
key contains the following package of information:- 

Machine identifier: the identity of the computer on 
which the license manager is permitted to run. 

Expiry date: the date until which the license key is 
valid. 

Limit: the number of units of a particular feature that 
are licensed (eg the number of users, number of 
communication links, or database size). 

Application key: the key value of the application to 
which the license key relates. 

Signature: a cryptographic signature which ensures 
that the license key cannot be changed without de- 
tection. 

[0019] Whenever one of the applications requires to 
use a feature, it sends a request message to the LM. 
The request message includes: 

the identity of the feature required 

the number of units of the feature required 

the application key 

a timestamp value. 

[0020] Referring to Figure 2, when the LM receives 
this request message, it checks that the timestamp val- 
ue is current. Assuming the timestamp value is current, 
the LM then checks whether there is a license key in the 
license table for the required feature. 
[0021 ] If there is a license key in the table, the LM then 
checks whether the expiry date of the license has 
passed, and checks the signature of the license key to 
ensure that it has not been modified. The LM also 
checks whether the required number of units are avail- 
able for the feature (ie whether the number of requested 
units plus the number of units already granted is less 
than or equal to the limit value in the license key). 
[0022] If all these checks are satisfactory, the LM re- 



turns a "license granted" message to the application, 
sealed under the application key. The LM keeps a record 
of the number of units granted for each feature. If, on 
the other hand, any of the checks fails, the LM returns 

5 a "license denied" message to the application. The LM 
also writes a record in the log 24 to indicate whether a 
license has been granted or denied. 
[0023] If the application receives a "license granted" 
message, it proceeds to use the requested features as 

10 required. If, on the other hand, it receives a "license de- 
nied" message, it performs one of the following actions, 
as determined by the designer of the application: 

the application may simply shut itself down. , 
15 - in the case where the license was denied because 
there were not enough units of the requested fea- 
ture available, the application may display a "call 
again later" message to the user, 
the application may continue running in a reduced 
service mode eg a demonstration mode. 

[0024] When an application terminates, it sends a "li- 
cense relinquish" message to the LM. The LM will then 
withdraw any licenses issued to this application, making 
the units available to other applications. 
[0025] Each application is required to send a revali- 
dation message periodically to the LM, to re-validate its 
license. For example, a revalidation message may be 
required every 5 minutes. If the application does not re- 
ceive any response to this message, it assumes that it 
has lost contact with the LM, and shuts down or contin- 
ues in a reduced service mode. 
[0026] The LM periodically checks whether it has re- 
ceived revalidation messages from all the application to 
which it has granted licenses. If a revalidation message 
has not been received from an application, the LM as- 
sumes that the application has failed, and therefore 
withdraws the license, making the units available to oth- 
er applications. 

[0027] In order to ensure that unauthorised copies of 
the LM cannot be run on other systems, it is necessary 
to provide a way of identifying the machine on which the 
LM runs. This Is achieved by means of a security iden- 
tification device (SID) 26, which stores an identifier 
uniqueto this device, referred to as the secure host iden- 
tifier. The SID is attached to the computer 1 0 by way of 
an external port 28. In this example, the port is a stand- 
ard parallel printer port, and the SID is designed so that 
a printer may be plugged into the back of the SID, so 
that both the printer and SID share the same port. Mes- 
sages for the SID are identified by special commands. 
[0028] In other embodiments of the invention, the SID 
may be attached to a special dedicated port, or to some 
other type of standard port. The port may be serial rather 
than parallel. 

[0029] Referring to Figure 3, in orderto check the host 
identity, the LM sends a request message to the SID at 
regular intervals, requesting it to supply the secure host 
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identifier. 

[0030] The SID responds to this by returning a mes- 
sage encrypted under a key known onty to the SID and 
the LM. 

[0031 J The message contains: 
the secure host identifier 

a sequence number, which is incremented each 
time the SID returns a message. 

[0032] When the LM receives this message, it de- 
crypts it, and checks the sequence number to ensure 
that it is the next expected sequential value. This en- 
sures that It is not possible to replace the SID by a pro- 
gram which intercepts the requests from the LM and re- 
turns a copy of the SID's response, or which passes the 
request to a SID on another system. 
[0033] The LM then checks whether the returned se- 
cure host identifier matches the machine identifiers of 
the license keys held in the license table 22. 
[0034] If the LM does not receive any response to a 
request to the SID, or if the response does not contain 
the correct sequence number, or if the secure host iden- 
tifier does not match the machine identifiers in the li- 
cense keys, the LM closes down. This means that the 
LM will not issue any more licenses to applications. Also, 
because the LM will not now respond to the revalidation 
message from the application, any outstanding licenses 
are effectively cancelled. 

[0035] In summary, it can be seen that the LM will is- 
sue licenses, permitting applications to operate, only if 
a security identification device SID is connected to the 
computer, and if the machine identifiers in the individual 
license keys issued to the LM match the secure host 
identifier held in the SID. 

[0036] It should be noted that the LM can grant licens- 
es to applications running in any of the computers 1 0 in 
the network, not just to applications running in the same 
computer as the LM. The number of licenses that may 
be granted is restricted by the limit in the license keys. 
Thus, for example, if a license key sets a limit on the 
number of users, then the total number of users of a par- 
ticular application in the network cannot exceed this lim- 
it. 

[0037] The use of the device for the provision of the 
identifier to the license manager has several very impor- 
tant advantages: 

if the machine to which the device is attached fails, 
the device can be transferred to another machine 
(new keys are not required) 

the supplier of the device can retain title to the de- 
vice, so in the event of the machine being sold the 
device has to be returned to the supplier. 
Hence all software on the machine that would only 
work with a license manager will no longer function 
as required by the terms of supply of the software 



10 



15 



20 



25 



which is licensed to a legal entity not to a machine. 

if the user of the software wishes to change the li- 
cense he has to reduce its capability, the device can 
be replaced and new keys issued. Current schemes 
do not provide for the secure revocation of the keys. 

the device can be used to provide secure identifica- 
tion on standard hardware platforms which do not 
inherently provide such a facility, and hence can en- 
able the use of license management on such hard- 
ware. 

[0038] It should be noted that although the embodi- 
ment of the invention described above is a multi-com- 
puter system, the invention is equally applicable to sin- 
gle processor systems, or to multi-nodal systems, com- 
prising a plurality of multi-processor nodes. 



Claims 

1 . A computer system comprising: 

(a) a host computer (10); 

(b) a security device (26) removably coupled to 
an external port of the host computer; and 

(c) a licence manager (20), running within the 
host computer, the licence manager including 
means for responding to requests from appli- 
cation programs by checking whether those ap- 
plication programs are licensed and, if so, 
granting permission for those application pro- 
grams to run; 

characterised in that 

(d) the security device contains a host identity; 

(e) the licence manager uses a licence table 
(22), stored within the memory of the host com- 
puter, for checking whether application pro- 
grams are licensed; and 

(f) the licence manager includes means for pe- 
riodically interrogating the security device, to 
obtain said host identity, and for withdrawing 
permission for application programs to run if the 
host identity does not match an expected iden- 
tity value held in the licence manager. 



so 2. A system according to Claim 1 wherein communi- 
cation of the host identity between the security iden- 
tification device and the licence manager is protect- 
ed by encryption. 

55 3. A system according to Claim 2 wherein said host 
identity returned by the security identification device 
is encrypted together with a sequence number 
which is incremented each time said host identity is 
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Revendlcatlons 

1 . Systeme d'ordinateur(s) comprenant : 

5 (a) un ordinateur hote (10) ; 

(b) un dispositif de securite (26) couple, de fa- 
con a pouvoir en etre retire), a un port d'acces 
externe de I'ordinateur hote ; et 

(c) un gestionnaire de licences (20), s'execu- 
'0 tant a I'interieurde I'ordinateur hote, le gestion- 
naire de licences comportant un moyen destine 
a repondre a des demandes emanant de pro- 
grammes d'application en verifiant si ces pro- 
grammes d'application sont ou non sous licen- 

'5 ce et, s'il en est ainsi, permettant d'accorder la 

permission d'executer ces programmes 
d'application ; 

caracterise en ce que : 

20 

(d) le dispositif de securite contient une identite 
d'hote ; 

(e) le gestionnaire de licences utilise une table 
de licences (22) stockee a I'interieur de la me- 

25 moire de I'ordinateur hote, afin de verifier si les 

programmes d'application sont ou non sous 
licence ; et 

(f) le gestionnaire de licence comporte un 
moyen servant a interroger periodiquement le 

30 dispositif de securite, afin d'obtenir ladite iden- 

tite d'hote, et a retirer la permission d'executer 
des programmes d'application si I'identite d'ho- 
te ne concorde pas avec une valeur d'identite 
attendue, qui estcontenue dans le gestionnaire 
35 de licences. 



returned. 

4. A system according to any preceding claim wherein 
the licence manager regulates the usage of soft- 
ware items within a network of computers. 



Patentanspruche 

1. Rechnersystem mit 

a) einem Host-Rechner (10), 

b) einer Sicherheitsvorrichtung (26), die losbar 
mit einem externen Anschluss des Host-Rech- 
ners gekoppeit 1st, und 

c) einem Lizenz-Manager (20), der im Host- 
Rechner lauft und der eine Vorrichtung auf- 
weist, die auf Anfragen von den Anwendungs- 
programmen anspricht, und die pruft, ob die 
Anwendungsprogramme lizenziert sind, und, 
wenn dies bejaht wird, die Genehmigung erteilt, 
diese Anwendungsprogramme in Lauf zu set- 
zen, 

dadurch gekennzeichnet, dass 

d) die Sicherheitsvorrichtung eine Host-ldenti- 
tat enthalt, 

e) der Lizenz-Manager eine Lizenz-Tabelle (22) 
verwendet, die in dem Speicher des Host- 
Rechners gespeichert ist, und die pruft, ob An- 
wendungsprogramme lizenziert sind, und 

f) der Lizenz-Manager eine Vorrichtung zum 
periodischen Abfragen der Sicherheitsvorrich- 
tung aufweist, urn die Host-ldentitat zu erzie- 
len, und urn die Genehmigung fur das Ablaufen 
der Anwendungsprogramme zuruckzuziehen, 
wenn die Host-ldentitat nicht mit einem erwar- 
teten Identitatswert ubereinstimmt, der im Li- 
zenz-Manager enthalten ist. 

2. System nach Anspruch 1 , bei dem eine Verbindung 
der Host-ldentitat zwischen der Sicherheits-ldenti- 
fiziervorrichtung und dem Lizenz-Manager durch 
Geheimverschlusselung geschutzt ist. 

3. System nach Anspruch 2, bei dem die Host-ldenti- 
tat, die durch die Sicherheits-ldentifiziervorrichtung 
zuriickgefuhrt wird, zusammen mit einer Folgezahl 
verschlusselt ist, die jedesmal, wenn die Host-lden- 
titat zuriickgefuhrt wird, urn einen Schritt weiterge- 
schaltet wird. 

4. System nach einem der vorausgehenden Ansprii- 
che, bei dem der Lizenz-Manager die Verwendung 
von Software-Datensatzen innerhalb eines Netz- 
werkes von Rechnern regelt. 



2. Systeme selon la revendication 1 , ou la communi- 
cation de I'identite d'hote entre le dispositif ^identi- 
fication de securite et le gestionnaire de licences 

40 est protege par cryptage. 

3. Systeme selon la revendication 2, ou ladite identite 
d'hdte, renvoyee par le dispositif d' identification de 
securite, est cryptee en meme temps qu'un numero 

45 de sequence, qui est increments a chaque fois que 
ladite identite d'hote est renvoyee. 

4. Systeme selon Tune quelconque des revendica- 
tions precedentes, ou le gestionnaire de licences 

50 regule I'usage d'elements logiciels a rinterieur d'un 
reseau d'ordinateurs. 
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Fig.1. 
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Fig. 2. 
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Fig.3. 
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